Operating System
14 COMPUTER SECURITY THREATS
14.1 COMPUTER SECURITY CONCEPTS
• Confidentiality: This term covers two related concepts:
—Data confidentiality: Assures that private or confidential information is not made available or disclosed to unauthorized individuals
—Privacy: Assures that individuals control or influence what information related to them may be collected and stored and by whom and to whom that information may be disclosed
• Integrity: This term covers two related concepts:
—Data integrity: Assures that information and programs are changed only in a specified and authorized manner
—System integrity: Assures that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system
• Availability: Assures that systems work promptly and service is not denied to
• Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. A loss of confidentiality is the unauthorized disclosure of information.
• Integrity: Guarding against improper information modification or destruction, including ensuring information non-repudiation and authenticity. A loss of integrity is the unauthorized modification or destruction of information.
• Availability: Ensuring timely and reliable access to and use of information. A loss of availability is the disruption of access to or use of information or an information system.
Unauthorized disclosure is a threat to confidentiality. The following types of attacks can result in this threat consequence:
• Exposure: This can be deliberate, as when an insider intentionally releases sensitive information, such as credit card numbers, to an outsider. It can also be the result of a human, hardware, or software error, which results in an entity gaining unauthorized knowledge of sensitive data. There have been numerous instances of this, such as universities accidentally posting student confidential information on the Web.
• Interception: Interception is a common attack in the context of communications. On a shared local area network (LAN), such as a wireless LAN or a broadcast Ethernet, any device attached to the LAN can receive a copy of packets intended for another device. On the Internet, a determined hacker can gain access to e-mail traffic and other data transfers. All of these situations create the potential for unauthorized access to data.
• Inference: An example of inference is known as traffic analysis, in which an adversary is able to gain information from observing the pattern of traffic on a network, such as the amount of traffic between particular pairs of hosts on the network. Another example is the inference of detailed information from a database by a user who has only limited access; this is accomplished by repeated queries whose combined results enable inference.
• Intrusion: An example of intrusion is an adversary gaining unauthorized access to sensitive data by overcoming the system's access control protections.
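The database inference attack mentioned under Inference above, worked through as an added example (this is not code from the chapter): a low-privilege user is limited to aggregate queries that must cover at least MIN_GROUP rows, yet two permitted SUM queries that differ by one person reveal that person's salary. The staff table, the names, the salaries and the MIN_GROUP threshold are all constructed for the illustration.

```python
import sqlite3

# Constructed sample records (not from the page): name, department, salary.
ROWS = [
    ("alice", "eng", 120000),
    ("bob", "eng", 95000),
    ("carol", "eng", 101000),
    ("dave", "eng", 88000),
    ("erin", "ops", 70000),
    ("frank", "ops", 72000),
    ("grace", "ops", 69000),
]
# Assumed policy: a statistical query is answered only if it covers at least
# this many rows, so that no single person's record is returned directly.
MIN_GROUP = 3


class QueryRefused(Exception):
    """Raised when the statistical interface declines to answer."""


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE staff (name TEXT, dept TEXT, salary INTEGER)")
    conn.executemany("INSERT INTO staff VALUES (?, ?, ?)", ROWS)
    conn.commit()
    return conn


def stat_sum(conn, dept, exclude=None):
    """The limited-access interface: SUM(salary) over one department,
    optionally excluding one name. Only the aggregate is exposed, and the
    query is refused if it would cover fewer than MIN_GROUP rows.
    The WHERE clause is assembled from fixed fragments; values are bound."""
    where, params = "dept = ?", [dept]
    if exclude is not None:
        where += " AND name != ?"
        params.append(exclude)
    (n,) = conn.execute(f"SELECT COUNT(*) FROM staff WHERE {where}", params).fetchone()
    if n < MIN_GROUP:
        raise QueryRefused(f"query would cover only {n} rows")
    (total,) = conn.execute(f"SELECT SUM(salary) FROM staff WHERE {where}", params).fetchone()
    return total


def answered(conn, dept, exclude=None):
    """True if the interface answers this query; shows that a query isolating
    one person is blocked while each half of the tracker pair is not."""
    try:
        stat_sum(conn, dept, exclude)
        return True
    except QueryRefused:
        return False


def infer_salary(conn, target, dept):
    """Tracker attack: two permitted queries whose difference is one record."""
    with_target = stat_sum(conn, dept)                      # whole department
    without_target = stat_sum(conn, dept, exclude=target)   # still >= MIN_GROUP rows
    return with_target - without_target


if __name__ == "__main__":
    db = build_db()
    print("alice earns", infer_salary(db, "alice", "eng"))
```

The minimum-group rule on its own does not prevent this; controls that do are tracking the overlap between the sets of records answered to one user (query-set overlap control) or perturbing answers with noise, as in differential privacy.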
Deception is a threat to either system integrity or data integrity. The following types of attacks can result in this threat consequence:
• Masquerade: One example of masquerade is an attempt by an unauthorized user to gain access to a system by posing as an authorized user; this could happen if the unauthorized user has learned another user's logon ID and password. Another example is malicious logic, such as a Trojan horse, that appears to perform a useful or desirable function but actually gains unauthorized access to system resources or tricks a user into executing other malicious logic.
• Falsification: This refers to the altering or replacing of valid data or the introduction of false data into a file or database. For example, a student may alter his or her grades on a school database.
• Repudiation: In this case, a user either denies sending data or denies receiving or possessing the data.
Disruption is a threat to availability or system integrity. The following types of attacks can result in this threat consequence:
• Incapacitation: This is an attack on system availability. This could occur as a result of physical destruction of or damage to system hardware. More typically, malicious software, such as Trojan horses, viruses, or worms, could operate in such a way as to disable a system or some of its services.
• Corruption: This is an attack on system integrity. Malicious software in this context could operate in such a way that system resources or services function in an unintended manner. Or a user could gain unauthorized access to a system and modify some of its functions. An example of the latter is a user placing backdoor logic in the system to provide subsequent access to the system and its resources by other than the usual procedure.
• Obstruction: One way to obstruct system operation is to interfere with communications by disabling communication links or altering communication control information. Another way is to overload the system by placing excess burden on communication traffic or processing resources.
Usurpation is a threat to system integrity. The following types of attacks can result in this threat consequence:
• Misappropriation: This can include theft of service. An example is a distributed denial of service attack, when malicious software is installed on a number of hosts to be used as platforms to launch traffic at a target host. In this case, the malicious software makes unauthorized use of processor and operating system resources.
• Misuse: Misuse can occur either by means of malicious logic or a hacker that has gained unauthorized access to a system. In either case, security functions can be disabled or thwarted.
The assets of a computer system can be categorized as hardware, software, data, and communication lines and networks.
• Masquerader: An individual who is not authorized to use the computer and who penetrates a system's access controls to exploit a legitimate user's account
• Misfeasor: A legitimate user who accesses data, programs, or resources for which such access is not authorized, or who is authorized for such access but misuses his or her privileges
• Clandestine user: An individual who seizes supervisory control of the system and uses this control to evade auditing and access controls or to suppress audit collection
Intruder Behavior Patterns
The techniques and behavior patterns of intruders are constantly shifting, to exploit newly discovered weaknesses and to evade detection and countermeasures. Even so, intruders typically follow one of a number of recognizable behavior patterns, and these patterns typically differ from those of ordinary users. In the following, we look at three broad examples of intruder behavior patterns to give the reader some feel for the challenge facing the security administrator.
Hackers
Traditionally, those who hack into computers do so for the thrill of it or for status. The hacking community is a strong meritocracy in which status is determined by level of competence.
Criminals
Organized groups of hackers have become a widespread and common threat to Internet-based systems. These groups can be in the employ of a corporation or government but often are loosely affiliated gangs of hackers. Typically, these
Insider Attacks are among the most difficult to detect and prevent. Employees already have access to and knowledge of the structure and content of corporate databases. Insider attacks can be motivated by revenge or simply a feeling of entitlement. An example of the former is the case of Kenneth Patterson, fired from his
Perhaps the most sophisticated types of threats to computer systems are presented by programs that exploit vulnerabilities in computing systems. Such threats are referred to as malicious software, or malware. In this context, we are concerned with application programs as well as utility programs, such as editors and compilers. Malware is software designed to cause damage to or use up the resources of a target computer. It is frequently concealed within or masquerades as legitimate software. In some cases, it spreads itself to other computers via e-mail or infected floppy disks.
A computer virus is a piece of software that can “infect”other programs by modifying them;the modification includes injecting the original program with a routine to make copies of the virus program,which can then go on to infect otherprograms.
There has been a continuous arms race between virus writers and writers of antivirus software since viruses first appeared. As effective countermeasures are developed for existing types of viruses, newer types are developed. There is no simple or universally agreed upon classification scheme for viruses. In this section, we follow [AYCO06] and classify viruses along two orthogonal axes: the type of target the virus tries to infect and the method the virus uses to conceal itself from detection by users and antivirus software.
• Boot sector infector: Infects a master boot record or boot record and spreads when a system is booted from the disk containing the virus
• File infector: Infects files that the operating system or shell consider to be executable
• Macro virus: Infects files with macro code that is interpreted by an application
• Encrypted virus: A typical approach is as follows. A portion of the virus creates a random encryption key and encrypts the remainder of the virus. The key is stored with the virus. When an infected program is invoked, the virus uses the stored random key to decrypt the virus. When the virus replicates, a different random key is selected. Because the bulk of the virus is encrypted with a different key for each instance, there is no constant bit pattern to observe, apart from the small decryption routine itself, which must remain in the clear.
• Stealth virus: A form of virus explicitly designed to hide itself from detection by antivirus software. Thus, the entire virus, not just a payload, is hidden.
• Polymorphic virus: A virus that mutates with every infection, making detection by a fixed "signature" of the virus impossible.
• Metamorphic virus: As with a polymorphic virus, a metamorphic virus mutates with every infection. The difference is that a metamorphic virus rewrites itself completely at each iteration, increasing the difficulty of detection. Metamorphic viruses may change their behavior as well as their appearance.
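An added illustration (not from the chapter, and not real malware) of the encrypted-virus layout described above and of what it leaves for a scanner to find: each copy is stub || key || E_key(body) with a fresh key, so the encrypted body shares no constant pattern between copies, while the decryptor stub and the key field are unavoidably in the clear. The byte strings BODY and STUB are placeholders standing in for real code, and the XOR stream cipher and 8-byte key length are assumptions chosen for simplicity.

```python
import os

# Constructed stand-ins (not real malware): the "body" is the part each copy
# encrypts with a fresh key; the "stub" represents the constant decryption
# loop that every copy must carry unencrypted in order to run at all.
BODY = b"PAYLOAD: locate other executables and copy self into them (placeholder)"
STUB = b"\xde\xc0\xde"   # hypothetical byte pattern standing in for the decryptor code
KEY_LEN = 8              # assumed key size


def xor_stream(data, key):
    """Symmetric keystream: the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def make_instance(body=BODY, key=None):
    """Produce one infected copy: stub || key || E_key(body). A new random key
    is chosen on every replication, so the encrypted part never repeats."""
    if key is None:
        key = os.urandom(KEY_LEN)
    return STUB + key + xor_stream(body, key)


def run_instance(blob):
    """What happens when the infected program is invoked: the stub reads the
    stored key and decrypts the body (here it just returns the plaintext)."""
    key = blob[len(STUB):len(STUB) + KEY_LEN]
    return xor_stream(blob[len(STUB) + KEY_LEN:], key)


def encrypted_part(blob):
    return blob[len(STUB) + KEY_LEN:]


def aligned_matches(a, b):
    """Number of byte positions at which two strings agree."""
    return sum(1 for x, y in zip(a, b) if x == y)


def common_prefix_len(a, b):
    """Length of the longest common prefix: what two copies still share."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def scan_stub(blob):
    """Signature scanner keyed on the constant decryptor rather than the body."""
    return STUB in blob


def scan_by_decryption(blob):
    """Generic-decryption approach: emulate the stub, then look for the body."""
    return BODY in run_instance(blob)
```

Two copies made with different keys agree only on the stub; a byte signature taken from the encrypted region of one copy will not match the next. Scanners therefore either target the decryptor, which a polymorphic virus counters by mutating the stub as well, or decrypt the sample under emulation and scan the result.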
A worm is a program that can replicate itself and send copies from computer to computer across network connections. Upon arrival, the worm may be activated to replicate and propagate again. In addition to propagation, the worm usually performs some unwanted function. An e-mail virus has some of the characteristics of a worm because it propagates itself from system to system. However, we can still classify it as a virus because it uses a document modified to contain viral macro content and requires human action. A worm actively seeks out more machines to infect and each machine that is infected serves as an automated launching pad for attacks on other machines.
To replicate itself, a network worm uses some sort of network vehicle. Examples include the following:
• Electronic mail facility: A worm mails a copy of itself to other systems, so that its code is run when the e-mail or an attachment is received or viewed.
• Remote execution capability: A worm executes a copy of itself on another system, either using an explicit remote execution facility or by exploiting a program flaw in a network service to subvert its operations (such as buffer overflow, described in Chapter 7).
• Remote login capability: A worm logs onto a remote system as a user and then uses commands to copy itself from one system to the other, where it then executes.
shows the dynamics for one typical set of parameters. Propagation proceeds through three phases. In the initial phase, the number of hosts increases exponentially. To see that this is so, consider a simplified case in which a worm is launched from a single host and infects two nearby hosts. Each of these hosts infects two more hosts, and so on. This results in exponential growth. After a time, infecting hosts waste some time attacking already infected hosts, which reduces the rate of infection. During this middle phase, growth is approximately linear, but the rate of infection is rapid. When most vulnerable computers have been infected, the attack enters a slow finish phase as the worm seeks out those remaining hosts that are difficult to identify.
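A simulation of the three phases just described, added here and not part of the original chapter: a random-scanning worm over a flat address space in which every infected host probes a fixed number of addresses per tick, and probes that land on already-infected hosts are counted as wasted. The population size, address space, scan rate and seed are assumed parameters, and the model is the generic simple-epidemic abstraction rather than any particular worm.

```python
import random


def simulate_worm(vulnerable=2000, address_space=20000, scans_per_tick=10,
                  seed=1, max_ticks=500):
    """Random-scanning worm (assumed model). Returns two lists indexed by tick:
    cumulative infected hosts, and scans wasted on already-infected hosts."""
    rng = random.Random(seed)
    hosts = rng.sample(range(address_space), vulnerable)   # addresses of vulnerable hosts
    vulnerable_set = set(hosts)
    infected = {hosts[0]}                                   # worm launched from one host
    history, wasted = [len(infected)], [0]
    for _ in range(max_ticks):
        if len(infected) == vulnerable:
            break                                           # nothing left to infect
        newly, waste = set(), 0
        for _ in range(len(infected) * scans_per_tick):     # every infected host scans
            target = rng.randrange(address_space)
            if target in infected or target in newly:
                waste += 1                                  # probe hits an infected host
            elif target in vulnerable_set:
                newly.add(target)                           # probe finds a fresh victim
        infected |= newly
        history.append(len(infected))
        wasted.append(waste)
    return history, wasted


def increments(history):
    """New infections per tick: grows through the exponential phase, flattens
    as more scans are wasted, and tails off in the slow finish."""
    return [b - a for a, b in zip(history, history[1:])]


if __name__ == "__main__":
    hist, waste = simulate_worm()
    for t, (n, w) in enumerate(zip(hist, waste)):
        print(f"tick {t:3d}: infected={n:5d} new={n - hist[t - 1] if t else 1:4d} wasted_scans={w}")
```

Printing the run shows infections roughly doubling per tick at first, the per-tick gain peaking somewhere in the middle while wasted scans climb, and a long tail of ticks that each pick up only the last few hosts. Raising scans_per_tick or pre-seeding a hit list of known-vulnerable addresses (the "ultrafast spreading" technique below) compresses the first phase.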
• Multiplatform: Newer worms are not limited to Windows machines but can attack a variety of platforms, especially the popular varieties of UNIX.
• Multiexploit: New worms penetrate systems in a variety of ways, using exploits against Web servers, browsers, e-mail, file sharing, and other network-based applications.
• Ultrafast spreading: One technique to accelerate the spread of a worm is to conduct a prior Internet scan to accumulate Internet addresses of vulnerable machines.
• Polymorphic: To evade detection, skip past filters, and foil real-time analysis, worms adopt the virus polymorphic technique. Each copy of the worm has new code generated on the fly using functionally equivalent instructions and encryption techniques.
• Metamorphic: In addition to changing their appearance, metamorphic worms have a repertoire of behavior patterns that are unleashed at different stages of propagation.
• Transport vehicles: Because worms can rapidly compromise a large number of systems, they are ideal for spreading other distributed attack tools, such as distributed denial of service bots.
• Zero-day exploit: To achieve maximum surprise and distribution, a worm should exploit an unknown vulnerability that is only discovered by the general network community when the worm is launched.
A bot (robot), also known as a zombie or drone, is a program that secretly takes over another Internet-attached computer and then uses that computer to launch attacks that are difficult to trace to the bot's creator. The bot is typically planted on hundreds or thousands of computers belonging to unsuspecting third parties. The collection of bots often is capable of acting in a coordinated manner; such a collection is referred to as a botnet.
• Distributed denial-of-service attacks: A DDoS attack is an attack on a computer system or network that causes a loss of service to users.
• Spamming: With the help of a botnet and thousands of bots, an attacker is able to send massive amounts of bulk e-mail (spam).
• Sniffing traffic: Bots can also use a packet sniffer to watch for interesting clear-text data passing by a compromised machine. The sniffers are mostly used to retrieve sensitive information like usernames and passwords.
• Keylogging: If the compromised machine uses encrypted communication channels (e.g., HTTPS or POP3S), then just sniffing the network packets on the victim's computer is useless because the appropriate key to decrypt the packets is missing. But by using a keylogger, which captures keystrokes on the infected machine, an attacker can retrieve sensitive information. An implemented filtering mechanism (e.g., "I am only interested in key sequences near the keyword 'paypal.com'") further helps in stealing secret data.
• Spreading new malware: Botnets are used to spread new bots. This is very easy since all bots implement mechanisms to download and execute a file via HTTP or FTP. A botnet with 10,000 hosts that acts as the start base for a worm or mail virus allows very fast spreading and thus causes more harm.
• Installing advertisement add-ons and browser helper objects (BHOs): Botnets can also be used to gain financial advantages. This works by setting up a fake Web site with some advertisements: The operator of this Web site negotiates a deal with some hosting companies that pay for clicks on ads. With the help of a botnet, these clicks can be "automated" so that instantly a few thousand bots click on the pop-ups. This process can be further enhanced if the bot hijacks the start page of a compromised machine so that the "clicks" are executed each time the victim uses the browser.
• Attacking IRC chat networks: Botnets are also used for attacks against Internet relay chat (IRC) networks. Popular among attackers is especially the so-called clone attack: In this kind of attack, the controller orders each bot to connect a large number of clones to the victim IRC network. The victim is flooded by service requests from thousands of bots or thousands of channel-joins by these cloned bots. In this way, the victim IRC network is brought down, similar to a DDoS attack.
• Manipulating online polls/games: Online polls/games are getting more and more attention and it is rather easy to manipulate them with botnets. Since every bot has a distinct IP address, every vote will have the same credibility as a vote cast by a real person. Online games can be manipulated in a similar way.
A rootkit is a set of programs installed on a system to maintain administrator (or root) access to that system. Root access provides access to all the functions and services of the operating system. The rootkit alters the host's standard functionality in a malicious and stealthy way. With root access, an attacker has complete control of the system and can add or change programs and files, monitor processes, send and receive network traffic, and get backdoor access on demand.
• Modify the system call table: The attacker modifies selected syscall addresses stored in the system call table. This enables the rootkit to direct a system call away from the legitimate routine to the rootkit's replacement. Figure 14.6 shows how the knark rootkit achieves this.
• Modify system call table targets: The attacker overwrites selected legitimate system call routines with malicious code. The system call table is not changed.
• Redirect the system call table: The attacker redirects references to the entire system call table to a new table in a new kernel memory location.
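The three hooking techniques above, modelled in Python as an added example (this is not the chapter's own code and not knark): a toy kernel dispatches through a list of routine objects standing in for the system call table, the rootkit's replacement getdents hides a file name from directory listings, and two integrity checks show which technique each one catches. The routine names, the DIRECTORY listing and the hidden file name are constructed; the second technique is modelled by transplanting the replacement's code object into the original routine, the closest in-process analogue to overwriting a routine's code in place.

```python
import hashlib

# Constructed directory listing that the hiding hook will filter (not from the page).
DIRECTORY = ["notes.txt", "rootkit.ko", "report.pdf"]


def make_routines():
    """Fresh routine objects per kernel instance, so patching one kernel's
    routine in place (technique 2) cannot leak into another's baseline."""
    def sys_open(path):
        return f"open:{path}"

    def sys_read(fd):
        return f"read:{fd}"

    def sys_getdents(path):
        return list(DIRECTORY)

    return [sys_open, sys_read, sys_getdents]


class Kernel:
    """Toy kernel: dispatch goes through a table indexed by syscall number,
    like the real sys_call_table (an array of function pointers)."""
    NR_GETDENTS = 2

    def __init__(self):
        self.sys_call_table = make_routines()

    def syscall(self, nr, *args):
        return self.sys_call_table[nr](*args)


def hidden_listing(path):
    """Rootkit replacement for getdents: drops names containing 'rootkit'."""
    return [name for name in DIRECTORY if "rootkit" not in name]


def hook_table_entry(kernel, nr, replacement):
    """Technique 1: modify the system call table entry itself."""
    kernel.sys_call_table[nr] = replacement


def patch_table_target(kernel, nr, replacement):
    """Technique 2: overwrite the legitimate routine; the table is untouched."""
    kernel.sys_call_table[nr].__code__ = replacement.__code__


def redirect_table(kernel, nr, replacement):
    """Technique 3: point the kernel at a new table in a new location."""
    new_table = list(kernel.sys_call_table)
    new_table[nr] = replacement
    kernel.sys_call_table = new_table


# Integrity checking against a trusted snapshot taken before compromise,
# the way a rootkit detector compares the live kernel with known-good data.
def code_hash(fn):
    return hashlib.sha256(fn.__code__.co_code).hexdigest()


def snapshot(kernel):
    return {
        "table_id": id(kernel.sys_call_table),             # where the table lives
        "entries": list(kernel.sys_call_table),            # what each entry points at
        "code": [code_hash(fn) for fn in kernel.sys_call_table],  # the routines' code
    }


def naive_check(kernel, base):
    """Compares table entries only: catches techniques 1 and 3, misses 2."""
    return [f"entry_modified:{nr}"
            for nr, (fn, orig) in enumerate(zip(kernel.sys_call_table, base["entries"]))
            if fn is not orig]


def full_check(kernel, base):
    """Also verifies the table's location and a hash of each routine's code."""
    findings = []
    if id(kernel.sys_call_table) != base["table_id"]:
        findings.append("table_redirected")
    findings += naive_check(kernel, base)
    for nr, (fn, digest) in enumerate(zip(base["entries"], base["code"])):
        if code_hash(fn) != digest:
            findings.append(f"target_patched:{nr}")
    return findings
```

Checking the table's contents alone is the common first step (comparing the live table against the addresses exported at build time), but it says nothing about a routine whose body has been overwritten; that needs a hash of the kernel text at the known routine addresses, and a check of the pointer through which the table itself is reached. A rootkit running with kernel privilege can also tamper with the checker, which is why measurements taken from outside the kernel (a hypervisor, or a boot-time measurement reported through attestation) are the stronger baseline.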